IETF Logo Mail Archive

Re: [Acme] Handling non-conformant CAA property names in ACME-CAA

Corey Bonnell <CBonnell@trustwave.com> Tue, 10 July 2018 12:09 UTC

Return-Path: <CBonnell@trustwave.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFEF6131131 for <acme@ietfa.amsl.com>; Tue, 10 Jul 2018 05:09:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=trustwave.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AP2d8oDZ5rbQ for <acme@ietfa.amsl.com>; Tue, 10 Jul 2018 05:09:27 -0700 (PDT)
Received: from seg-node-chi-03.trustwave.com (seg-node-chi-03.trustwave.com [204.13.200.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3FF1130E75 for <acme@ietf.org>; Tue, 10 Jul 2018 05:09:27 -0700 (PDT)
Received: from NAM05-DM3-obe.outbound.protection.outlook.com (Not Verified[216.32.181.113]) by seg-node-chi-03.trustwave.com with Trustwave SEG (v8, 0, 6, 10791) (using TLS: TLSv1.2, AES256-SHA256) id <B5b44a1f40003>; Tue, 10 Jul 2018 07:09:24 -0500
Received: from SN6PR07MB4575.namprd07.prod.outlook.com (52.135.95.19) by SN6PR07MB5039.namprd07.prod.outlook.com (52.135.121.81) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.930.20; Tue, 10 Jul 2018 12:09:22 +0000
Received: from SN6PR07MB4575.namprd07.prod.outlook.com ([fe80::d0e2:e12:541d:c131]) by SN6PR07MB4575.namprd07.prod.outlook.com ([fe80::d0e2:e12:541d:c131%2]) with mapi id 15.20.0930.022; Tue, 10 Jul 2018 12:09:22 +0000
From: Corey Bonnell <CBonnell@trustwave.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>, Roland Shoemaker <roland@letsencrypt.org>, "acme@ietf.org" <acme@ietf.org>
CC: Hugo Landau <hlandau@devever.net>
Thread-Topic: [Acme] Handling non-conformant CAA property names in ACME-CAA
Thread-Index: AQHUCNfwmw4vM10pkkesYQHeJVFYOaSHwCKAgAB4y4A=
Date: Tue, 10 Jul 2018 12:09:22 +0000
Message-ID: <AD5192BA-2792-4C4F-98DF-C2789C423A9C@trustwave.com>
References: <DC2B6BEA-713F-468E-A374-97C3A01CFEAF@letsencrypt.org> <63753ab2-2b4b-ec15-f357-373b7e681aab@eff.org>
In-Reply-To: <63753ab2-2b4b-ec15-f357-373b7e681aab@eff.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=CBonnell@trustwave.com;
x-originating-ip: [204.13.202.248]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; SN6PR07MB5039; 7:+EK5RzSstZ7OswzNfQuH7RRZWJTe7rUoqOT5UENLFMzQ1GwsRBnNmwH8v8vbdCCQTL6bSUo7b3bDfFXJcJZVAJjr0VL1adznIh49IhiSHL4/ftd6cnaZIiQcvg3gvD9VtMkkn9eJXJsapP1XoFZum92viMrqTrpIAcQ4j+HmpSZ7nYo8DAYUWDKdTyokDAU3+Oodd/gawn/zrLxwwu8qN2z+4HRsoHfYIe+ilV/ToEnEAsnDmTKm9S+b35yiXUt5
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 47169f5e-9158-4ae2-4917-08d5e65df8c4
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989117)(5600053)(711020)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(2017052603328)(7153060)(7193020); SRVR:SN6PR07MB5039;
x-ms-traffictypediagnostic: SN6PR07MB5039:
x-microsoft-antispam-prvs: <SN6PR07MB5039380BBD0D62EC2E450E0FCF5B0@SN6PR07MB5039.namprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(232896897485771)(192374486261705)(171964332516350);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(5005006)(8121501046)(93006095)(93001095)(10201501046)(3231311)(944501410)(52105095)(3002001)(149027)(150027)(6041310)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123562045)(20161123560045)(6072148)(201708071742011)(7699016); SRVR:SN6PR07MB5039; BCL:0; PCL:0; RULEID:; SRVR:SN6PR07MB5039;
x-forefront-prvs: 0729050452
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(396003)(376002)(39860400002)(366004)(136003)(52054003)(189003)(199004)(68736007)(476003)(4326008)(83716003)(110136005)(53936002)(316002)(105586002)(106356001)(6246003)(2906002)(86362001)(478600001)(486006)(5660300001)(2501003)(5250100002)(6512007)(26005)(6306002)(25786009)(82746002)(2616005)(14444005)(446003)(15974865002)(66066001)(102836004)(99286004)(36756003)(6116002)(72206003)(966005)(80792005)(8936002)(186003)(6486002)(33656002)(229853002)(6506007)(81156014)(7736002)(14454004)(305945005)(256004)(8676002)(81166006)(6436002)(97736004)(3846002)(76176011)(11346002)(2900100001)(19400905002); DIR:OUT; SFP:1102; SCL:1; SRVR:SN6PR07MB5039; H:SN6PR07MB4575.namprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: trustwave.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 6xkPIaqqpYvxCRJA3YdZcZ8eG12KgKSRCP8XbDi4CiKjoKW1P1RxmnYogq0tDT6qI5vysTvvr2IIKR4QK5qk0GI7VW3DFyQnc5qSXaZYMifndD5+2NeIbBXPFF9VmCjatGvTjljL2iBdKXTQCbyflvGMUmxWaIwjskoL8//r+eqzDJyYEGxKbxa2lwSz8HNpmK36l7NLpSpk9aDGH0zmFTHvMQl/D+/9Gt/HCqKmOE4sWxcEloYhRZMx1sRp+VZvFzHsa5QMFT4D8dRD/7ffYaO8qquYRs6KuV2eeUQjhfMOiWOIZ95mgXXNYeEgDiW+REijc0QcmPBugvpvDvFAl8dQvitYg4rkXf/BGV4SC2Y=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <F27E1C65C7036E45B991534782BB8FD6@namprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: trustwave.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 47169f5e-9158-4ae2-4917-08d5e65df8c4
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Jul 2018 12:09:22.1503 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cb1dab68-a067-4b6b-ae7e-c012e8c33f6a
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR07MB5039
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=trustwave.com; s=080318_segcloud; t=1531224565; bh=Vx51PmCZmoCCiJWUR24BX9sEO3pijs3SSfxsCh19k/s=; h=From:To:CC:Subject:Thread-Topic:Thread-Index:Date:Message-ID: References:In-Reply-To:Accept-Language:Content-Language: X-MS-Has-Attach:X-MS-TNEF-Correlator:authentication-results: x-originating-ip:x-ms-publictraffictype: x-microsoft-exchange-diagnostics: x-ms-exchange-antispam-srfa-diagnostics: x-ms-office365-filtering-correlation-id:x-microsoft-antispam: x-ms-traffictypediagnostic:x-microsoft-antispam-prvs: x-exchange-antispam-report-test:x-ms-exchange-senderadcheck: x-exchange-antispam-report-cfa-test:x-forefront-prvs: x-forefront-antispam-report:received-spf: x-microsoft-antispam-message-info:spamdiagnosticoutput: spamdiagnosticmetadata:Content-Type:Content-ID: Content-Transfer-Encoding:MIME-Version:X-OriginatorOrg: X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id: X-MS-Exchange-Transport-CrossTenantHeadersStamped; b=YtNLpsCy7oxCj0Ijjv3Qu0C1HYKFYCPM3hywGHXrCag9KgpGzug9oBjqe4NVli8he lCvh4C9/l9rmOG6U0XlujQDxuJ3rZ/0UjekuU5uIbD3VJI0Vrfbwz+IlvXLpYX/U1J zyn5+AFs9u9C3fYGuEOaKy+3eDZClPbAwYY6JIpfWqOIV92HAEr72eXXikHC8LfJen LmxsAR9lpNtBBAx09eVhykdP0BsdKxmM/fazQRgBPyYqa0wef5S5aEmcJWBfJ/uD00 thIkMyMFFPbjKL6vggNdgIdacfRImj/cMYbSj5MkkIhNrh9vaWZFDAbR+ktorDUHz7 jIt0X0sGqSp8g==
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/zV6EA0mwbP0kumRXIEj1KSu7QCg>
Subject: Re: [Acme] Handling non-conformant CAA property names in ACME-CAA
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 12:09:31 -0000

Hi Jacob,
Perhaps not as elegant and concise, but a workaround would be to temporarily (until 6844-bis gets incorporated into the Baseline Requirements) prohibit multiple parameters in the same CAA record and instead require that multiple parameters span multiple issue/issuewild records with the same Issuer Domain Name.

For example, the following CAA issue record:
CAA 0 issue "acmeca.com; validationmethods=http-01; accounturi=https://api.acmeca.com/acct/1"

could be expressed with two records:
CAA 0 issue "acmeca.com; validationmethods=http-01"
CAA 0 issue "acmeca.com; accounturi=https://api.acmeca.com/acct/1"

This isn't very DRY, but this would avoid interoperability conflicts with tooling and other CAs that refuse to issue certificates when encountering CAA records with invalid syntax.
 
Thanks,
Corey Bonnell
Senior Software Engineer

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

On 7/9/18, 8:57 PM, "Acme on behalf of Jacob Hoffman-Andrews" <acme-bounces@ietf.org on behalf of jsha@eff.org> wrote:

    There's a similar issue for parameters: RFC 6844 section 3 says each 
    name-value pair is separated by a semicolon:
    
    https://scanmail.trustwave.com/?c=4062&d=9ITE2_Zkd4Asykvo5V46RlY2wgex49JVgDUDQNU2fg&s=5&u=https%3a%2f%2ftools%2eietf%2eorg%2fhtml%2frfc6844%23section-3
     >    issue <Issuer Domain Name> [; <name>=<value> ]* :  The issue property
    
    RFC 6844 section 5.2 says each name-value pair is separated by a space:
    
    https://scanmail.trustwave.com/?c=4062&d=9ITE2_Zkd4Asykvo5V46RlY2wgex49JVgDVWTd4-IA&s=5&u=https%3a%2f%2ftools%2eietf%2eorg%2fhtml%2frfc6844%23section-5%2e2
     >    issuevalue  = space [domain] space [";" *(space parameter) space]
    
    
    For 6844-bis, in the LAMPS WG, we concluded that the latter was most 
    likely an error in the ABNF, and that semicolons were preferable:
    
    https://scanmail.trustwave.com/?c=4062&d=9ITE2_Zkd4Asykvo5V46RlY2wgex49JVgGJWEd4-KQ&s=5&u=https%3a%2f%2ftools%2eietf%2eorg%2fhtml%2fdraft-ietf-lamps-rfc6844bis-00%23section-5%2e2
     >    parameters = (parameter *WSP ";" *WSP parameters) / parameter
    
    
    ACME-CAA's examples use semicolons:
    
    https://scanmail.trustwave.com/?c=4062&d=9ITE2_Zkd4Asykvo5V46RlY2wgex49JVgGJSE40wKQ&s=5&u=https%3a%2f%2ftools%2eietf%2eorg%2fhtml%2fdraft-ietf-acme-caa-03%23appendix-A
     > http://scanmail.trustwave.com/?c=4062&d=9ITE2_Zkd4Asykvo5V46RlY2wgex49JVgDAHRt8wew&s=5&u=http%3a%2f%2fexample%2ecom IN CAA 0 issue "http://scanmail.trustwave.com/?c=4062&d=9ITE2_Zkd4Asykvo5V46RlY2wgex49JVgGRQFokzLA&s=5&u=http%3a%2f%2fexample%2enet%3b \
     >     account-uri=https://example.net/account/1234; \
     >     validation-methods=dns-01"
    
    
    We resolved the hyphen question on the basis of interoperability: Some 
    DNS UIs rejected setting CAA records with hyphens in property names, so 
    we did the simple thing and removed them.
    
    The semicolon question is not so easily solved. There is no unambiguous 
    reading of RFC 6844, no reason to consider section 3 more normative than 
    section 5.2 or vice versa.
    
    I have one piece of interop data: While Route53 rejected hyphens in 
    property names, it accepts semicolons separating name-value pairs.
    
    My preference is for ACME-CAA to continue follow the RFC 6844bis 
    interpretation. What are others' thoughts?
    
    _______________________________________________
    Acme mailing list
    Acme@ietf.org
    https://scanmail.trustwave.com/?c=4062&d=9ITE2_Zkd4Asykvo5V46RlY2wgex49JVgGMHRNQ_Kw&s=5&u=https%3a%2f%2fwww%2eietf%2eorg%2fmailman%2flistinfo%2facme

v2.23.0 | Report a Bug | By Email